For our software we use hardware dongles to protect the software. No protection is perfect but this commercial solution is affordable and keeps honest people honest (as mentioned in another thread). The advantage is the 128 bit key that is stored 'unreadable' on the hardware dongle.

We want to remove this hardware dongle and start using software protection. Basically we can use a commercial product, but on the other hand that won't be unbreakable either. I don't know much about encryption and that's why I am posting this. How do I store a key on a Windows computer that will not be possible to read by using Reflector or something else? However I should be able to access the key for testing the license code.

I would just like a simple solution that can't be hacked by simply using Reflector.

Or am I asking a very stupid question?

Thank you all for your very fast and useful replies. I don't want to use licensing over the internet, since the application is running not always on computers that are connected. I will then get probably more problems then solving them. We will now most probably go for a commercial solution. It seems that protection is not that trivial.

Could you tell us more about what kind of behavior you want to prevent? Do you want to keep people from turning the program on without a key? Block pirated installation attempts? Something else? Do you want to assign one key per customer, or several keys that all work, or one key for every copy? etc
–
ojracOct 22 '08 at 20:20

I run a software company that has dealt with this issue for nearly 20 years. As both a developer and a business owner, I'd like to first encourage you to broaden your goals a bit. For example, it is simply a mistake to define your problem as "preventing piracy." Your goal should be to maximize revenue.

With that being said, there are some people who simply will never buy your software but who may make fairly significant efforts to get it for free. It isn't "fair" that they get a free copy but placing a lot of resources into the effort to prevent it is largely a waste of time. Indeed, these folks often end up "going legit" simply to get on our update list, to get support or because their business evolves to the point where they can now afford our license. In these cases, the original piracy ends up enhancing our revenue.

So, how do we license?

We generate a random license number with each new install (a number between 10K and 99K does nicely). We then have an algorithm for generating a matching number (anything non-trivial will do). We use a random number, by the way, so that any attempt reinstall on another computer results in different license/match numbers.

Next, we ask users to call us on the phone to get the matching number for their license (this is important). The software looks at the matching number they enter and compares it to the matching value generated on the user's side. If there is a match, the software is fully activated.

I say that having them phone us is important because we use that as an opportunity to talk with them about their setup, answer any questions, and let them know they are dealing with real people. Very few people have the nerve to try calling and impersonating another company (we look them up and compare their information to our purchase database). Note that our package runs nearly $2K so phone calls are reasonable. If your package costs less and has higher volume, you could do this via email. Finally, we use the call-in to tell users how to get upgrades and technical support with their new license.

Finally, we store the key in the application's database (a locally-installed MSDE/SQL Express database) so that any attempt to copy the app will A) be non-trivial and B) bring over a lot of data specific to the organization that first bought the legitimate version (making them less likely to share). The licensing key is encrypted and "split" into two different keys that are kept in two different tables. Thus, a simple "find the key and enter it in the pirated version" will not work.

The bottom line? When you make the entire package more than just the software, build in a few basic protective mechanisms, and introduce the human element, you should see that you don't need the expense and trouble of a dongle to maximize revenue.

But if the user can easily decompile your software, they can either disable license check algorithm or use it for generating new license keys. Afterall you say your software compares the license code provided by you with the "matching value generated on the user's side". This implies that the code to generate these license codes is present in your code.
–
LeonZandmanApr 17 '09 at 14:39

5

You think my users can "easily decompile" my software? The VAST majority of computer users can barely use software. Truly, 99.99% wouldn't even understand what you mean by "decompiling software." Of the other 0.01%, maybe 1 in 100 would care enough to try. Of those, maybe half would succeed. I am not going to inconvenience 99.99995% of my users to prevent the last handful from cracking the app - it would be a horrible business decision.
–
Mark BrittinghamApr 17 '09 at 15:51

@Mark I'm generally in agreement with your perspective but do have to argue against your "99.99% aren't hackers" argument. Developers wrongly assume that since most of their users are incapable of hacking then it is protected against theft. However the problem isn't your user breaking the software, it's a hacker breaking the software then distributing it for everyone to use. That's a much more common scenario. Even users that aren't inclined to steal themselves might stumble across the hacked version in one of the myriad free download sites and not even realize they're using a hacked version.
–
Paul AlexanderMar 12 '12 at 17:58

1

@Paul - and one other thing. I have no alternative. Neither does anyone else. If you don't want to deal with the possibility of sophisticated hackers, then you'll have to work in another field.
–
Mark BrittinghamApr 25 '12 at 14:38

The absolute answer is, of course, that a determined and skillful attacker can break any protection, but, especially for software which is not in a high level of demand or fame, skillful and determined attackers are rare, so taking protective measures makes sense.

To validate a license, sending the key to a central location is the safest way, because they'd have to crack your server (or protocol, watch out) to be able to validate. That'd require connectivity to use the software which may or may not be feasible. You could also distribute a 'license server' along with your software for big installs that'd require only local network access. If you can't and have to validate locally only, you could write a dll in native code that'd make it harder to reverse engineer.

To protect the code itself, and make its protection harder to bypass, obfuscate:

And this is why Copy Protection and 'keeping honest users honest' is a losing battle. You don't need to keep honest users honest, they already are.

The majority of effective Copy Protection schemes these days center around doing occasional key-checks against a central server. Have the application check it's key against the central server every so often, and you can determine if the software is licensed correctly. I'm over simplifying things a lot, obviously, but that is one approach.

Basically, you will need to use a commercial solution. The approach here is different from a dongle, and you cannot expect to simply replicate a dongle.

Instead, the main solution is to use some kind of key that is calculated in part from things about the computer that is running the software. Keygens that do the same thing can be made by crackers, but so it goes. They could have simply patched your software to not look for a dongle.

My recommendation is, if it's livable, stick with the dongle. Those tend to be the most viable approaches.

If it's not an option, then definitely go to an outside provider. You'll be looking for, among other things, a few key features (no pun intended):

Secure storage of the key

License checking

Compile-time obfuscation (to make it harder to disassemble your app)

None of this is sure-fire. The bottom line is that developers have been fighting piracy for a long time, and we always lose when the pirates are determined enough. If your main goal is to keep honest people honest, then a decent commercial software protection package will probably do so for you.

Thank you for pointing out that your usage of the word "key" could be a pun, but this was not your intent. Had you not done this, I would have become immensely confused upon reading your post and had to do several days of analysis to realize if it could be a pun and if, in fact, you intended it.
–
OwenPOct 22 '08 at 20:50

Is this data simply commerical stuff or things you share with workers and so fort?

If it is the latter, perhaps you can write a quick c++ program to xor it. Basically if the key length is equal to the length of the document, it should be "unbreakable." What I do in c++ is create a buffer of random chars of the size of the document, then xor it, then simply send the document and key file seperately and then the other person xor them together to get back the document.

Generate the hash (SHA1, MD5, etc) for a key and hardcode the hash in your application. Distribute the key to your users. In your executable can check the hash of the user specified key against the hardcoded hash:

In general, software on a non-networked machine can be cracked. If your application is non-niche enough that pirates can sell cracked copies of it, you are going to see that out there. One solution I've heard of that apparently was successful is self-modifying code.

Nonetheless the experience tells that no only-software protection system is unbreakable and the time taken to hackers to break them is directly proportional to the worth of the protected content. No matter how advanced a protection system has ben used to prevent pirated copies of a popular game, the crack awaits a few months ahead.

You have stated that license server is a trouble for your system, but I wouldn't drop it right away. I think a license server, that issues a license at least the first program run (say a decrypt key different per installation) is the best deterrent measure to reduce piracy. Not only by the the strength of the encryption method but also and mainly because of the automatic registration system. If you let your customers know that the software activation key is unique per installation/user and that it is stored and matched to user's profile they would think twice about giving away the key+software.

If the answer is "yes", You can monitor the usage. (Do tell the customer about this functionality!)

If the answer is "no", You still can monitor the usage in most cases, but You cannot enforce a connection to Your servers for the product to work.

Do You want to add copy-protection to Your software? This is no rhetorical question, because

some software has to be customized by the software company or its partners. If anyone makes a copy of software, that has to be customized by experts, it just won't be of any use for him.

e.g. if an employee of Your customer wants to use Your high-end circuit-design software for his private projects at home and You give him the permission to do so, then You have someone at Your customers site, who will vote for Your product on every purchase decision.

the effort for a working copy protection could be higher than the loss created by unauthorized copies. (Remember, You can still include it in the next version.)